Skip to content

Embedding Security Behaviour Change

How will you embed the desired security behaviours and culture in your organisation?

Last Updated 05 October 2021

Security behaviour change requires a clear vision as well as a coordinated strategy to ensure that interventions are consistent, practical and meaningful.

Before embarking on a change programme, however big or small, it is critical that an organisation is clear on the following:

  • The objectives of the change (i.e. the vision or strategy)
  • The size and scale of the change (i.e. the gap between where the organisation is now and where it wants to be)
  • The actions to implement the change (i.e. the interventions)
  • The organisation is ready for the change (i.e. it has the necessary time, resources and buy-in)
  • How to communicate the change to the target audience and other key stakeholders (i.e. the communications strategy)
  • How to review and evaluate the impact of the change (i.e. the measures of success and key performance indicators)

There is no one right way to deliver change. A bespoke approach, suited to the particular needs and requirements of your organisation will ultimately work best.  

CPNI has developed the 5 E’s approach to organisational behaviour change. This provides some overarching principles that organisations are advised to follow when developing a security change programme, drawing on latest behaviour change theory.

Listed below are CPNI's off-the-shelf security behaviour change campaigns and guidance documents that you are welcome to use for free.

    Workplace Behaviours poster

    Embedding security savvy behaviours in the workplace

    Employee Vigilance poster

    Embedding vigilance behaviours when entering or leaving a site

    My Digital Footprint front cover

    Embedding security savvy behaviours online

    'Don't take the bait!' poster

    Raising awareness of phishing and spear-phishing

    Social Engineering poster

    To advise security managers about the threat of social engineering and what steps they can take to mitigate this

    New employees folder stack

    Guidance on providing security information during the first 12 months of the employee lifecycle

    Line Managers Campaign front cover

    Advice to help managers recognise the important role they play in developing a good security culture

    Think Before You Link poster

    Raising awareness of threats on social media and professional networking sites

    Did you find this page useful? YesNo
    Thank you for your feedback. If you have any further suggestions on how this information can be made even more useful to improve your experience, feel free to share details below.
    Thank you for your feedback. Sorry to hear that you haven't found this information useful. Please help us improve your experience and share how we can make this information more useful for you.